Google looks to kill the password using tiny cryptographic card

Google engineers are experimenting with new ways to replace user passwords, including a tiny YubiKey cryptographic card that would automatically log people into Gmail, according to a report published Friday.

In the future, engineers at the search giant hope to find even easier ways for people to log in not just to Google properties, but to sites across the Web. They envision a single smartphone or smartcard device that would act like a house or car key, allowing people access to all the services they consume online. They see people authenticating with a single device and then using it everywhere.

"We'd like your smartphone or smartcard-embedded finger ring to authorize a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity," Google Vice President of Security Eric Grosse and Engineer Mayank Upadhyay wrote in an article to be published in the engineering journal IEEE Security & Privacy Magazine, according to Wired.

Google's tinkering comes as the protection offered by the average password has never been weaker. As Ars explained last year in our article "Why passwords have never been weaker—and crackers have never been stronger," the combination of newer hardware, advances in cracking techniques, and the combined leakage of hundreds of millions of real-world passwords has made it easier than ever to crack the codes we all use to access our most intimate and business-critical secrets. Passwords are also vulnerable to phishing and other types of social engineering attacks, as Wired reporter Mat Honan graphically and eloquently described last year when hackers erased large swaths of his digital life.

The YubiKey device Google is experimenting with uses a modified version of the company's Chrome browser, so there's no additional software to load. It automatically logs users in when the device is inserted in a USB reader. Google also has a protocol for device-based authentication that is not dependent on any of the company's technology. It hopes it will eventually be used widely.

"Others have tried similar approaches but achieved little success in the consumer world," the Google engineers wrote. "Although we recognize that our initiative will likewise remain speculative until we've proven large-scale acceptance, we're eager to test it with other websites."

Promoted Comments

This is a very interesting concept. But the question I have is this. How do you keep the key itself secure? If you use this key on two different websites, if one is compromised, how do you prevent the key itself from getting compromised? You can easily change a password and it's possible to maintain passwords between different websites. But what if you use this Yubikey and a website poorly secures the information and the key itself is gained by hackers? How is the Yubikey secured so that your other accounts are not compromised?

I would think it would employ asymmetric encryption. The private key would be baked into hardware and extremely difficult to extract (impossible without destroying the key). This is just Public Key crypto, which is well understood at this point and used everywhere. It doesn't matter if a site gets compromised, because they weren't storing your key anyway. At most what they have is something signed by your key.

This is a very interesting concept. But the question I have is this. How do you keep the key itself secure?

As others have already explained the private key doesn't leave the hardware. Additionally, smart cards all have hardware security including onboard crypto engines. They're in general designed to be one way: private keys can be added, but they cannot be removed under any circumstances even by the owner. That does make backup potentially trickier to do in a consumer-friendly fashion though, there are different tradeoffs to be made in terms of security, reliability, and convenience.

It's still a vastly better solution however. A good asymmetric authentication system would eliminate the authentication risk of database hacks.

111 Reader Comments

It looks like the Yubico website is down, or you could all go read up about it there. Reading the google cache, and a LinuxJournal article from 2009, it looks like it does OTP and some versions act like a USB keyboard. You put your mouse/focus in the password field and click the button on the dongle and it types in a super long one time password for you.

I guess we're all nerds, flying off into the land of much better solutions involving public/private key encryption, etc.

The concept of a password for each service is becoming both unmanageable because of the number of services we all use, and insufficient due to cheap GPU-farm-powered password cracking techniques. Passwords long and random enough to be secure are too unwieldy for average people to want to deal with. Password vaults are a temporary solution but those have their own security risks (single point of failure could compromise everything)

This solution was needed years ago, but better late than never! It takes a Google to really push these technologies into common use, and I am thankful they're finally taking action.

Oh no, people are not going to use a USB key to just log in for gmail. Get real.

I can see quite a few governments requiring Google to give them a copy of the key.

If done properly (doesn't seem to be the way Google is doing it), no it absolutely would not, quite the opposite in fact.

ngativ wrote:

So, if you use a USB key, the private key is never going to land in the RAM? Or are you just talking about non-volatile memory?

For a PKI card system that is correct, the private key never leaves the smart card under any circumstances. Even if the system it is connected to is rooted the private key itself cannot be recovered (though obviously plenty of damage could still be done in the mean time).

I'm sure Google would love this from a different perspective. If a user can authenticate across multiple sites with the same credentials, it should make it much easier to track that user across multiple sites - in turn, marketing $$$

That is, of course, why Google are advocating this. It's in their best interests to tie everyone into single identities. Any talk of "security" is just a smokescreen.

Why can not this be done via software? Who on earth wants to carry yet another USB key to just login in gmail?

You don't have to carry them around. You could get one per device you compute from, plug it in, and never pull it out. How many machines do you really use on a regular basis?

I mean, you *could* share this among devices if you want; in that case, attach it to something you always have with you: your cell phone or keychain. Take a look at the Wired article -- these devices are *tiny*, hardly burdensome.

This is a very interesting concept. But the question I have is this. How do you keep the key itself secure? If you use this key on two different websites, if one is compromised, how do you prevent the key itself from getting compromised? You can easily change a password and it's possible to maintain passwords between different websites. But what if you use this Yubikey and a website poorly secures the information and the key itself is gained by hackers? How is the Yubikey secured so that your other accounts are not compromised?

Someone might have already said this, but Steve Gibson did a rather long-winded (but clear) segment on the Security Now podcast a few years ago about how YubiKeys are engineered to prevent this. A google search should turn it up if you want to listen.

I mean, you *could* share this among devices if you want; in that case, attach it to something you always have with you: your cell phone or keychain. Take a look at the Wired article -- these devices are *tiny*, hardly burdensome.

The concept of a password for each service is becoming both unmanageable because of the number of services we all use, and insufficient due to cheap GPU-farm-powered password cracking techniques. Passwords long and random enough to be secure are too unwieldy for average people to want to deal with. Password vaults are a temporary solution but those have their own security risks (single point of failure could compromise everything)

This solution was needed years ago, but better late than never! It takes a Google to really push these technologies into common use, and I am thankful they're finally taking action.

Oh no, people are not going to use a USB key to just log in for gmail. Get real.

Not sure if you're trolling or what, but in any case... some people, like Ars readers concerned about security, certainly will use devices such as this. I'm moving toward using Google authenticator and two-factor security whenever I can. This is just the first baby step towards the ultimate goal, of adding two or three factor authentication to every service with less hassle. Imagine if any number of accessories, such as watches, phones, or rings, had tiny NFC chips in them. When you buy the thing, you can optionally register it as a secure key for your identity. Then you just have your 2nd factor around by virtue of proximity. If you lose the item you invalidate that key. Of course it doesn't replace the password, but it replaces the password being the ONLY factor, which is proven to be totally unreliable in recent years.

The whole premise of this depends on the ability to only publish the public key while keeping the private key private. In order for this to gain market, they will have to work very hard to make sure the private key is not accessible by malware.

I mean, you *could* share this among devices if you want; in that case, attach it to something you always have with you: your cell phone or keychain. Take a look at the Wired article -- these devices are *tiny*, hardly burdensome.

...but very, very, VERY easy to lose.

(whee, 200th post)

A wedding ring is tiny and easy to lose. But it's important to people so they *don't* lose it. Same here.

Why can not this be done via software? Who on earth wants to carry yet another USB key to just login in gmail?

Because software is not secure. If it's software running on your machine, then somewhere in memory is your private key floating around unencrypted.

This needs to be an external device, but it also needs to ensure it has a PIN or password associated with it. Maybe I need to dig into this more, but the article is implying that they would replace the password with this device. That's a bad idea of course, but adding a YubiKey to any authentication system is going to make it far more secure because of multi-factor.

So, if you use a USB key, the private key is never going to land in the RAM? Or are you just talking about non-volatile memory?

I think if ease of use is the goal, Google is focusing on the wrong thing. We already have hardware-crypto authentication devices in the works: smartphones with NFC and secure elements in them.

The focus should be on a unified protocol to get signed data out of the authentication device and into whatever it is that you're trying to authenticate yourself to.

We already have a protocol for making secure authentication requests; it's called SSH. What's needed is a way to store private keys on a secure device, have that device generate SSH auth requests and have those requests propagate through your PC and web browser, over HTTP to the website.

In order to unlock the private key on the device for use, you have to enter a passphrase on the device (via an app on the phone, a keypad on the device or something similar.)

After entering the passphrase, you connect the device to the PC (whether through NFC, Bluetooth, USB, whatever.)

Computer asks device to generate an SSH auth request for websiteX.

Device generates request and sends it to computer, which propagates it to the browser, which sends it over HTTP to the website.

Website decrypts key and signs you in.

For a new account registration, instead of sending an SSH auth request, the device would simply send the public key

In the event that the secure auth device is lost or passphrase forgotten, the same "forgot password" systems we use today would be appropriate, with additional verification through a text message.

We already have all the pieces required to make this work; we just need someone (most likely one of the major OS or browser vendors) to step up, put the pieces together, and provide strong incentives for websites and other password-protected software to use it.

Why can not this be done via software? Who on earth wants to carry yet another USB key to just login in gmail?

Because software is not secure. If it's software running on your machine, then somewhere in memory is your private key floating around unencrypted.

This needs to be an external device, but it also needs to ensure it has a PIN or password associated with it. Maybe I need to dig into this more, but the article is implying that they would replace the password with this device. That's a bad idea of course, but adding a YubiKey to any authentication system is going to make it far more secure because of multi-factor.

So, if you use a USB key, the private key is never going to land in the RAM? Or are you just talking about non-volatile memory?

Never is correct. The token will do the work required.

This is how smart cards work today. The card itself does the computation and just returns the result. Downside: Smart cards are slow, useless for bulk encryption but fine for authentication or setting up symmetric keypairs.

Dongle-based keys have been around a long time. There is heavy resistance among users to have to carry around a piece of hardware, be it the size of a flash drive or a ring, just to make their other hardware work securely.

If I could carry one dongle that lets me sign in to anything, and does it in a way that means my other logins won't be compromised by one doofus storing my information in plaintext, I would lead a parade for the person who invented it. If I'm being asked to carry a different dongle for every site, then yeah, that can $@!% right off.

So, Mountain View. Is this going to be a Google Key, or an Everything Key, By Google™? they haven't shied away from throwing their inventions to the masses before, so hopefully...

I could see this ultimately built into our smart phones. They could then communicate with our devices (PC, Mac, iPad, Car, etc. using BlueTooth). It would occasionally prompt for a pass code to unlock the Key. I would also like it to support multiple keys. One for American Express, one for my Bank, etc. Using a single private key would allow the companies to connect all my data by the public key.

Why can not this be done via software? Who on earth wants to carry yet another USB key to just login in gmail?

Because software is not secure. If it's software running on your machine, then somewhere in memory is your private key floating around unencrypted.

This needs to be an external device, but it also needs to ensure it has a PIN or password associated with it. Maybe I need to dig into this more, but the article is implying that they would replace the password with this device. That's a bad idea of course, but adding a YubiKey to any authentication system is going to make it far more secure because of multi-factor.

So, if you use a USB key, the private key is never going to land in the RAM? Or are you just talking about non-volatile memory?

The YubiKey just looks like a keyboard.

For sites that use it (like LastPass), you type in your username and password, as usual, and then there's a third field that has a little green "Y" symbol that you give focus, and then touch the YubiKey. The key then dumps a string of text into the field, and you log in as normal. There's no drivers, or anything on the PC itself. Makes a nice extra protection for your password vault.

There's also a YubiKey that has NFC, if you want to use it with your phone.

To all who assumed this device uses asymmetric cryptography, please read the security paper on the manufacturer's site. This device uses only a unique symmetric key per device, not a public/private key pair, and each site you use it with must have your symmetric key, so the gentleman with the concern that compromising a single website compromises all websites is correct. This system is only as secure as the site with the weakest security practices.

Shame on the editors for promoting not one but two user comments with incorrect answers.

The concept of a password for each service is becoming both unmanageable because of the number of services we all use, and insufficient due to cheap GPU-farm-powered password cracking techniques. Passwords long and random enough to be secure are too unwieldy for average people to want to deal with. Password vaults are a temporary solution but those have their own security risks (single point of failure could compromise everything)

This solution was needed years ago, but better late than never! It takes a Google to really push these technologies into common use, and I am thankful they're finally taking action.

Oh no, people are not going to use a USB key to just log in for gmail. Get real.

Not sure if you're trolling or what, but in any case... some people, like Ars readers concerned about security, certainly will use devices such as this. I'm moving toward using Google authenticator and two-factor security whenever I can. This is just the first baby step towards the ultimate goal, of adding two or three factor authentication to every service with less hassle. Imagine if any number of accessories, such as watches, phones, or rings, had tiny NFC chips in them. When you buy the thing, you can optionally register it as a secure key for your identity. Then you just have your 2nd factor around by virtue of proximity. If you lose the item you invalidate that key. Of course it doesn't replace the password, but it replaces the password being the ONLY factor, which is proven to be totally unreliable in recent years.

How is it that I am trolling? People calling others trolls should be admonished if they are going to reply anyway.

Get real, most people are not geeks like Ars readers. I consider myself a "geek", but I really would hate to have to carry a damn USB key just to log in to Gmail, or have it attached to my laptop all the time. This makes sense if you have very critical data to protect, and if you are a spy or a criminal for instance. And why on earth are you going to store such important data on Google? Come on!

There are some valid points against having to use a USB key: if you lose it, forget it or it gets damaged, that's going to piss off a lot of people, because that is more likely to happen than someone cracking your (decent) password. How do you recover your data quickly if the USB key is destroyed? I am just asking.

Some people here mentioned built-in hardware crypto solutions; that seems to be more convenient. But how do I back up or migrate my key? Can this be hardware or OS independent? Can this work across any website or software? Can this be decentralized? Is this going to be cumbersome?

Furthermore, websites have to do their part to protect their databases; some of them are just too lazy and even store the passwords in plain text.

Of course we all love to have stronger security and privacy, but my point is that this can not be just a matter of "harder to crack". You have to take into account reliability and convenience factors for users. That's why this old kind of solution never made it mainstream or had widespread use.

Get real, most people are not geeks like Ars readers. I consider myself a "geek", but I really would hate to have to carry a damn USB key just to log in to Gmail, or have it attached to my laptop all the time.

I've been following Yubikey for a while as an open-source crypto-identification system it has piqued my security (not paranoid I swear) minded interests. Do yourself a favour and read up a little of how it works.

My question is of course, how far do they plan to take account integration. Will they allow connection of people's Yubikey enhanced accounts with OpenID? I already have my reservations about OpenID. Mostly stemming from the fact that someone may have many online personae, and may wish to keep them separate. When you begin to use something like OpenID you begin to connect accounts across multiple sites and services becoming ever more traceable as you do. This can be a real issue for privacy concerns, or for the person who leaves their computer open and their little sister decides to 'troll' them by performing actions and writing posts on behalf of the account holder which paint them in a less than flattering light. (Which is admittedly a user security issue that needs to be trained, more than an account security issue which needs to be enhanced or repaired, but it stands that they are authenticated across many services, and with the increase in account security plausible deniability becomes lessened in the public eye.)

I look forward to seeing how this rolls out.

[Edit to respond to additional posts]

C Boy wrote:

ngativ wrote:

Get real, most people are not geeks like Ars readers. I consider myself a "geek", but I really would hate to have to carry a damn USB key just to log in to Gmail, or have it attached to my laptop all the time.

Not to mention I can't even find the USB connector on my iPad.

If you read the article you'll notice a wearable ring and near field communication (Bluetooth subset) are alluded to. This would likely be the best implementation as it could be made in a variety of styles and people would pick one to suit their own personal tastes. (Don't like a ring, I'm sure other pieces of wearable tech will come out, necklace/chain, eyeglass frames, etc.)

This is a very interesting concept. But the question I have is this. How do you keep the key itself secure?

As others have already explained the private key doesn't leave the hardware. Additionally, smart cards all have hardware security including onboard crypto engines. They're in general designed to be one way: private keys can be added, but they cannot be removed under any circumstances even by the owner. That does make backup potentially trickier to do in a consumer-friendly fashion though, there are different tradeoffs to be made in terms of security, reliability, and convenience.

It's still a vastly better solution however. A good asymmetric authentication system would eliminate the authentication risk of database hacks.

That still doesn't answer the question of "If I steal your key/device/smartcard/phone then I'll have access to all your accounts, everywhere"

@ngativ You don't have to because unless you are using this for Enterprise access you can have an alternative login. Also the key itself is tiny, I carry two on my keyring everywhere!

I have used Yubikey for quite a while and it works well as a two factor cheap alternative to RSA tokens for business. I was made aware of them by my email service http://fastmail.fm (very good, check them out if you are after a step up from free email services).

@C Boy This is very true, I have just about managed to use it on my Nexus7 but of course it would be impossible on an iPad. They do have an app but it's awkward and highlights a bit of a security risk.

The risk I am talking about is a sort of pre-play attack. If someone got hold of your token they can play the next sequence of responses because it acts like a USB keyboard with one key so if you touch the key in notepad it does this. cccccxcvxgrxtjlhcrrluvgvchbcenjnfilrtvdlrbit cccccxcvxgrxfdnlfrdirnkdnhfchtcfegjethnerffu (key slightly altered for privacy)

These responses are not related to time they just have to be used in the correct order and can only be used once against an authentication server. Meaning they could authenticate that factor of your password at a later time as long as you had not already authenticated against that server.

If they used a keylogger to get your other factor then you have a window of time when you have problems but as soon as you use your key again it makes all the responses they collected useless as they are now older in sequence.

If someone is stupid enough to use the key with multiple authentication servers they open themselves up to re-play attacks as well.

Edit. RSA has similar risks if you just steal the token and use it before it's reported! Also I think some people here don't really get how Enterprise two factor authentication works in the real world. Google is doing a good thing bringing this kind of security to normal internet users. http://en.wikipedia.org/wiki/Two-factor_authentication

They also have an NFC version (NEO) so now Android, Blackberry & Windows mobile devices are covered, Apple may catch up in a bit.
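Added example, not part of the comment above and not Yubico's code: a minimal validator for the counter-ordered one-time passwords that comment describes, showing why pre-collected responses die once a newer one is accepted and why a second, independent validation server reopens replay. HMAC-SHA256 stands in for the token's symmetric cipher, and the OTP layout, `Token`, `Validator` and the key are constructed for illustration.

```python
import hashlib
import hmac


def make_otp(public_id: str, key: bytes, counter: int) -> str:
    """Constructed OTP layout: id, counter, MAC over both (HMAC is a stand-in)."""
    ctr = counter.to_bytes(4, "big")
    tag = hmac.new(key, public_id.encode() + ctr, hashlib.sha256).digest()[:8]
    return f"{public_id}:{ctr.hex()}:{tag.hex()}"


class Token:
    """Simulated one-button token: device secret plus a counter that only grows."""

    def __init__(self, public_id: str, key: bytes):
        self.public_id, self._key, self._counter = public_id, key, 0

    def press(self) -> str:
        self._counter += 1
        return make_otp(self.public_id, self._key, self._counter)


class Validator:
    """Holds the shared symmetric key and the highest counter accepted so far."""

    def __init__(self):
        self._keys = {}  # public_id -> shared secret (the server must store it)
        self._last = {}  # public_id -> highest counter already accepted

    def enroll(self, public_id: str, key: bytes) -> None:
        self._keys[public_id] = key
        self._last[public_id] = 0

    def verify(self, otp: str) -> str:
        parts = otp.split(":")
        if len(parts) != 3:
            return "bad-format"
        public_id, ctr_hex, tag_hex = parts
        key = self._keys.get(public_id)
        if key is None:
            return "unknown-device"
        try:
            ctr, tag = bytes.fromhex(ctr_hex), bytes.fromhex(tag_hex)
        except ValueError:
            return "bad-format"
        if len(ctr) != 4:
            return "bad-format"
        want = hmac.new(key, public_id.encode() + ctr, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, want):
            return "bad-mac"
        counter = int.from_bytes(ctr, "big")
        # Ordering rule: anything at or below the last accepted counter is dead.
        if counter <= self._last[public_id]:
            return "stale"
        self._last[public_id] = counter
        return "ok"


def demo() -> dict:
    key = b"constructed-demo-key"  # constructed sample secret
    token = Token("dev01", key)
    server_a, server_b = Validator(), Validator()
    server_a.enroll("dev01", key)
    server_b.enroll("dev01", key)  # same token registered with a second service

    # Three presses typed into a text editor and never submitted anywhere.
    captured = [token.press() for _ in range(3)]
    out = {}
    out["captured_2_first_use"] = server_a.verify(captured[1])
    out["captured_1_after_2"] = server_a.verify(captured[0])
    out["captured_2_replay"] = server_a.verify(captured[1])
    fresh = token.press()  # the owner logs in normally
    out["owner_fresh_login"] = server_a.verify(fresh)
    out["captured_3_after_fresh"] = server_a.verify(captured[2])
    # Server B keeps its own counter state, so A's consumed OTP still works there.
    out["captured_2_at_server_b"] = server_b.verify(captured[1])
    tampered = fresh[:-1] + ("0" if fresh[-1] != "0" else "1")
    out["tampered"] = server_a.verify(tampered)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:26} {result}")
```

The `captured_2_at_server_b` result is the case for a single validation service per token: counter state that is not shared between servers cannot reject an OTP another server has already consumed.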

The requirement for better technology than passwords has been around for a long time. The Internet's security experts made it a focus during all of the 8 years that I attended the IETF. They produced nothing of value. Microsoft has also made major efforts in that direction for more than a decade. If anything has come of it, I have missed it. Hype abounds in the security world. But results are scarce.

Works better if it treats the PC it's plugged into as being as untrusted as a plaintext network connection. That's really only possible if the key has a display so the user knows what is being signed with it. I think having a hardware security module in a mobile phone with an LED where you know the HSM has full and exclusive control over the phone's input controls and display would be better than a key you can be fooled into signing something with, when you don't know what you're signing because that depends upon what's running on the PC, the USB port of which this thing is plugged into.

That still doesn't answer the question of "If I steal your key/device/smartcard/phone then I'll have access to all your accounts, everywhere"

That's because this has been answered already: Yubikey is a part of MULTI-FACTOR identification. That means more than one thing is tested against. "Something you have" is the Yubikey. "Something you know" is a password. "Something you are" is biometric data. All of these things in conjunction are known as "multi-factor identification".

----

As to the point about people "losing" their Yubikey, what I gathered from actually reading the article, is Google has already thought of the risk of carrying a USB key or dongle, especially one as small and portable as the stock yubikey (PLEASE go look at the website and check the FAQs there. Or as we say in the industry "RTFM")

The obvious solution to this as read in the article, was a ring. Or in general "jewelry" people treat their jewelry with a respect and care that is seldom observed with other possessions. A watch, a ring, a necklace etc. I have watches that don't even work still carefully put away and accessible.

Works better if it treats the PC it's plugged into as being as untrusted as a plaintext network connection. That's really only possible if the key has a display so the user knows what is being signed with it. I think having a hardware security module in a mobile phone with an LED where you know the HSM has full and exclusive control over the phone's input controls and display would be better than a key you can be fooled into signing something with, when you don't know what you're signing because that depends upon what's running on the PC, the USB port of which this thing is plugged into.

The Yubikey is a Hardware Security Module, it doesn't matter what you plug it into because whatever you are authenticating against should always be two-factor. They need the other factor and they cannot extract responses from the key itself so malware could not collect a full authentication sequence even if it had full control of your device.

I would rather have a key under my full control because I have to plug in and touch physically or NFC than a device built into something under software control. Analogy - you can't hack a PC on the other side of the world that is not connected to a network but most connected to the internet would fall eventually!